High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in LibreOffice which could be exploited to perform denial of service (DoS) attacks.

1) Multiple vulnerabilities in LibreOffice: CVE-2012-4233

1.1 NULL pointer dereference error was found in the vcllo.dll while processing .odt files. A remote attacker can create a specially crafted .odt file, trick a user into opening that file and terminate the application.

1.2 Null pointer dereference error was found in svxcorelo.dll while processing ODG (Drawing document) files. A remote attacker can create a specially crafted ODG file, trick a user into opening that file and terminate the application.

1.3 Null pointer dereference error was found in tllo.dll when handling the PolyPolygon record within an embedded .wmf file in Microsoft PowerPoint 2003 (PPT) files. A remote attacker can create a specially crafted .ppt file, trick a user into opening that file and terminate the application.

Technical details:

Processing the malformed PPT file invokes the tllo!Polygon::Polygon function, followed by a call to the MSVCR90!memcpy procedure. The procedure inherits the value from the ESI pointer, which references invalid or corrupted memory, and this crashes the entire application.

Proof of Concept:

Please see the attached file: HTB23106-PPT.rar
Password: high-tech-bridge

1.4 Null pointer dereference error was found in scfiltlo.dll while processing Microsoft Excel 2003 (XLS) files. A remote attacker can create a specially crafted XLS file, trick a user into opening that file and terminate the application.

Proof of Concept:

Please see the attached file: HTB23106-XLS.rar
Password: high-tech-bridge

Attack vectors:

These vulnerabilities require that a user opens a specially crafted file with an affected version of LibreOffice Suite software. An attacker could deliver the malicious file to the system in several ways. In a web-based scenario, an attacker could host a file on a website or WebDAV share and trick a user into downloading and opening this file. In an email scenario, an attacker could exploit this vulnerability by sending an email with the malicious file attached.

Solution:

Upgrade to LibreOffice 3.5.7.2 http://www.libreoffice.org/download/

More Information: http://www.libreoffice.org/advisories/cve-2012-4233/

References:

[1] High-Tech Bridge Advisory HTB23106 - https://www.htbridge.com/advisory/HTB23106 - Denial of Service Vulnerability in LibreOffice
[2] LibreOffice - http://www.libreoffice.org - LibreOffice is the power-packed free and open source personal productivity suite for Windows, Macintosh and GNU/Linux.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.